Cloaked code sneaks by corporate security

A new technique for disguising programs aimed at cracking corporate networks could raise the stakes in the heated battle between hackers and security experts.

During a seminar last week at the CanSecWest conference in Vancouver, British Columbia, a hacker named "K2" revealed a program he created that can camouflage the tiny programs that malicious hackers generally use to crack through system security.

The cloaking technique is aimed at foiling the pattern-recognition intelligence used by many intrusion detection systems, or IDSes--the burglar alarms of the Internet.

"Trust me, this will blow away any pattern matching," said K2. The hacker would not reveal his real name because he also works as a security consultant.

When a security hole is found on a corporate network, hackers usually will find several ways to exploit it. To manage the onslaught, the makers of intrusion-detection systems continually update their own software to keep track of new variants of an already familiar theme.

Now the balance has changed, K2 said. With a technique called polymorphic coding, attackers could potentially change the code structure enough to fool many intrusion-detection systems--but not enough to break the initial malicious program.

"This is a way to keep the exploits brand-new, all the time," he said.

Reaction to the program among security consultants was mixed. Some downplayed the significance as a typical scenario in the battle between attackers and defenders.

"Intrusion detection is an arms race," said Martin Roesch, president of security software start-up SourceFire and the creator of the popular IDS known as Snort. "It is measure, countermeasure."

Roesch has already started to improve Snort against techniques such as K2's. "Rather than a single signature we will have to go with multifaceted rules," he explained.

However, the development has other security experts concerned that, in the time it takes for intrusion-detection system makers to modify their products, online vandals could have a field day.

Shipley likened today's intrusion-detection system to antivirus scanners, where each tries to match program signatures to a dictionary of malicious code. Like antivirus scanners, the pattern-matching technology is fallible.

"If these systems were perfect, the Melissa virus would never have happened," he said. "It's reason No. 577 to patch your servers."

Dragos Ruiu, security consultant and host of the CanSecWest conference, said the program marks only a temporary setback for makers of intrusion-detection systems.

"K2 has removed something that could have been a defensive bullet," said Ruiu, pointing to the high expectations the industry has for intrusion detections systems. "We are back to the point where we are even" with the attackers, he added.

But even K2 doesn't believe the polymorphic technique will spread quickly. Getting everything to work properly is just too difficult, he said.

"It's not really a (script) kiddie application," K2 said, referring to the lowest form of Internet hack. "It requires a lot of skill, and anyone who does have the skill will be the guy to discover the vulnerabilities first."